Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Jun 2011 04:32:04 +0200
From: Mango <>
Subject: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities

I've found a bunch of vulnerabilities in the latest release of phpMyAdmin.

Vuln 1:
Any variable in the super global $_SESSION array can be overwritten or
created with an arbitrate value.

Vuln 2:
A (common) misconfiguration of phpMyAdmin allows content from the $_SESSION
array can be written to a .php-file.
Combined with Vuln 1 this becomes a conditional remote code execution.

Vuln 3:
Content from the $_SESSION array are (post authentication) used as input to
a function that can execute PHP code.
Under the current circumstances a previously unknown null byte string
truncation in this function is used.
I have only been able to reproduce this string truncation on PHP 5.2.13
running on Windows 7 and I've failed to reproduce it on PHP 5.2.13 running
on OpenBSD 4.7 and PHP 5.2.17 running on Linux 2.6.18. I do lack
the necessary C++ debugging skills to find out why this only works on my
windows box.
Combined with Vuln 1 this becomes an authenticated remote code execution.

Vuln 4:
Under a certain configuration an authenticated attacker can include a local
file and interpret it's content as PHP.
By modifying values in the $_SESSION array a cache holding the required
configuration option can be temporarily altered during run time.
If combined with Vuln 1 all configurations are vulnerable to this
authenticated local file inclusion.

Vuln 2 & 3 does not rely on Vuln 1 since the $_SESSION array could also be
modified by a local attacker trying to elevate his/hers privileges in an
improperly configured shared environment.
Do I need 4 CVEs?

/Mango -

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ